IT has been a very familiar sight to see emails with malicious attachments pretending to be from popular shipping companies, fake IRS notifications, or other similar ploys end up in our filters here at AppRiver. Most of these are courtesy of the Zeus trojan, an easily recognizable kit born trojan hell bent on stealing banking information from unsuspecting victims. Zeus has been around for quite some time now, and due to its ease of accessibility on the underground forums, it has spread quite rapidly in the wild.Lately, though, a lesser known toolkit by the name of Blackhole has been gaining in popularity. The Blackhole toolkit was released into the underground market less than a year a go and was being sold for around $1500 US per yearly license which included support. The cost was enough to keep the rookies away and allowed operators of the new toolkit to operate relatively under the radar. That is until May of this year when the kit was made available for free in many locations. Since then we have been seeing a steady increase in the number of infections for which this kit is responsible.Initially Blackhole would simply infect legitimate websites with the proper vulnerabilities which passersby would visit and become infected via drive-by download. Now, however, an email component has been added to increase traffic to these sites which instead of being only legitimate compromised sites primarily now include a slew of random sites set up for the sole purpose of snaring victims. Early this month, after the passing of Steve Jobs, we began to see emails, claiming through a few varied subject lines, that Apple's co-creator was indeed still alive. These emails contained a link to the "Hot News". Once readers clicked on the link they were led to one of thousands of web pages that were infected by the Blackhole toolkit. The infected site would then begin running an obfuscated Javascript which would look for vulnerabilities on the system of the new visitor. It would then exploit those vulnerabilities to infect them and install a backdoor on their system.

Currently we are seeing a new campaign linked to the Blackhole kit, with a new batch of domains also associated. These emails are made to look like an automated email notification from a Hewlett-Packard OfficeJet Printer. The email purports that a document was scanned and sent to the recipient, and even offers handy links from which to view them.

The links do then what anyone would now expect, and ship the unfortunate to more infected web sites. This time these sites have included an element that attempts to launch a Java routine in addition to its normal attack, which is hidden again in more obfuscated Javascript.

Currently we are seeing well over 1500 domains serving up this Blackhole toolkit created malware, and over 4.5 million pieces of emails at a rate of 30,000 per minute hitting our filters related to this most current campaign.